In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA) to date. As the fines affected individuals in multiple Member S...
Commercial & TechnologyThe EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to...
Commercial & TechnologyOn 3 April 2019, the Joint Committee on Justice and Equality met to discuss the implementation of the GDPR with Ms Anna Morgan (Deputy Commissioner), Ms Jennifer O’Sullivan (Deputy Commissioner), and Mr Cathal Ryan (Assistant Commissioner). The Commissioners discussed a range of issues, including the enforcement powers used by the Data Protection Commission (DPC) post-GDPR, the difficulties wit...
Commercial & TechnologyThe much-anticipated text of the Government's Gender Pay Gap (GPG) Information Bill (the Bill) has now been published. In amending the Employment Equality Acts 1998-2015, the Bill envisages that the Minister for Justice and Equality (the Minister) will make additional regulations that will require certain Irish employers to report and publish details of both their GPG and gender bonus gaps. In...
EmploymentThe EDPB has published its first review of the implementation of the GDPR, in particular the functioning of the cooperation and consistency mechanism. The GDPR requires EU Data Protection Supervisory Authorities (SAs) to cooperate in order to provide a consistent application of the GDPR. The EDPB concludes that nine months after the entry into force of the GDPR, the cooperation and consistency...
Commercial & TechnologyThe Advocate General of the Court of Justice of the EU (CJEU) has delivered an Opinion in the Planet49 case (Case C-673/17), finding that a pre-ticked checkbox giving consent for cookies does not constitute valid consent under the e-Privacy Directive 2002/58 read in conjunction with the Data Protection Directive 95/46 or the GDPR. Facts In order to participate in a lottery organised by Planet...
Commercial & TechnologyOn 4 March 2019, Minister Richard Bruton TD announced that he will introduce an Online Safety Act to regulate harmful content online and ensure children are safe online. The Act will also implement the revised Audiovisual Media Services (AVMS) Directive (which Member States are required to implement by 19 September 2020). The Minister stated that the era of self-regulation in regard to online...
Commercial & TechnologyThe Data Protection Commission (DPC) has published the results of the annual Global Privacy Sweep for 2018, which examined how well organisations are implementing the concept of accountability. The Global Privacy Enforcement Network members made contact with 356 organisations in 18 countries during the Sweep. It found that while there were examples of good practice reported, a number of organi...
Commercial & TechnologyBy any measure, 2018 was a historic year for data protection law with the coming into effect of the GDPR on 25 May 2018. Ireland plays an important role in the regulation and enforcement of data protection law and decisions of the Irish courts have had a disproportionate impact on European data protection jurisprudence.
Commercial & TechnologyThe EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here). The Information Note on Data Transfe...
Commercial ContractsThe EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here). The Information Note on Data Tra...
Commercial ContractsThe European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not conta...
Commercial & Technology